W32/Lovgate.a@M
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 02/19/2003
- Length
- 77,312 bytes
- Minimum DAT
- 4248 (02/19/2003)
- Updated DAT
- 4907 (11/29/2006)
- Minimum Engine
- 5.1.00
- Description Added
- 02/24/2003
- Description Modified
- 05/01/2003 10:41 AM (PT)
Characteristics
-- Update 06 March 2003 --
A new variant, 84,997 bytes in size (similar to W32/Lovgate.b@MM), has been reported. It has been proactively detected since the 4249 DATs.
--
This worm propagates via email (it contains its own SMTP engine) and by copying itself over network shares. Additionally, it may drop a backdoor component (port 10168 is opened on victim machines).
When executed, it copies itself to the %System% folder as:
- WinGate.exe
- rpcsrv.exe
- syshelp.exe
- winrpc.exe
- WinRpcsrv.exe
The backdoor component may also be dropped to the %System% directory (multiple times with various filenames):
- 1.dll
- reg.dll
- ily.dll
- task.dll
(Note: %System% is the Windows System folder, which is usually C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)
The following Registry keys are added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"syshelp" = C:\WINDOWS\SYSTEM\syshelp.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinGate initialize" = C:\WINDOWS\SYSTEM\WinGate.exe -remoteshell
A system startup hook is also added for the backdoor component:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Module Call initialize" = RUNDLL32.EXE reg.dll ondll_reg
The following Registry key is modified to hook the execution of text files:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = "winrpc.exe %1"
When executed on Windows NT/2000, the worm installs itself as a service, with the display name 'Window Remote Service' (set to run the copy of the worm with the filename WINRPCSRV.EXE). One of the dropped backdoor components (TASK.DLL) is also installed as two services, with the following display names:
- dll_reg
- Windows Management Extension
The worm also modifies the WIN.INI by adding a 'Run' command as follows:
[windows]
run=rpcsrv.exe
Mailing Component
The worm is capable of sending a reply to all new messages found in the user's inbox (Outlook and Outlook Express) by using its own SMTP engine. It also attaches itself to the message as any one of the files listed below. This propagation strategy makes the worm spread more slowly than classic mass-mailers, which is reflected in the '@M' suffix.
If for example you have a message in your INBOX from '???@wherever.com' the worm will reply to the message as follows:
Wherever.com account auto-reply:
' I'll try to reply as soon as possible. Take a look at the attachment and send me your opinion!'
>Get your Free wherever.com account now! <
Worm Component
The worm is capable of propagating through network shares. It enumerates network shares and copies itself recursively to folders/subfolders, using the following filenames:
- fun.exe
- humor.exe
- docs.exe
- s3msong.exe
- midsong.exe
- billgt.exe
- Card.EXE
- SETUP.EXE
- searchURL.exe
- tamagotxi.exe
- hamster.exe
- news_doc.exe
- PsPGame.exe
- joke.exe
- images.exe
- pics.exe
Backdoor Component
The worm may drop a trojan component, which is detected by the 4249 DATs and higher as Backdoor-AQJ. The backdoor opens port 10168 on the computer and will send an email notification to the hacker that the computer has been compromised. The following address is intended as the notification recipient:
hacker117@163.com
Information about the infected machine is also sent to the hacker. This information may include the system password.
Symptoms
- Presence of the Registry key values mentioned above.
- Presence of the files mentioned above.
- Port 10168 open on the victim machine.
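As an added example (not part of the McAfee description), the following Python audit applies the Symptoms above to a registry export (.reg text) and a WIN.INI copy taken from a suspect machine: it flags the three Run values the worm creates, any Run entry that launches one of the dropped files, the txtfile handler hijack, and the WIN.INI run= line. The sample inputs are constructed; the parser assumes string data exported as quoted REG_SZ text and skips hex(2) REG_EXPAND_SZ data rather than decoding it.

```python
import configparser
# Indicators from the W32/Lovgate.a@M description; SAMPLE_* inputs are constructed, not captured.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
LOVGATE_RUN_VALUES = {"syshelp", "WinGate initialize", "Module Call initialize"}
LOVGATE_FILES = {"wingate.exe", "rpcsrv.exe", "syshelp.exe", "winrpc.exe",
                 "winrpcsrv.exe", "1.dll", "reg.dll", "ily.dll", "task.dll"}

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside quoted string data
            current[name.strip().strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def _basenames(command):
    return {tok.rsplit("\\", 1)[-1].lower() for tok in command.replace(",", " ").split()}

def audit_registry(reg_text):
    """Findings for the Run values and the txtfile handler hijack this worm sets."""
    keys, findings = parse_reg_export(reg_text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name in LOVGATE_RUN_VALUES or _basenames(data) & LOVGATE_FILES:
            findings.append(f"Run value {name!r} -> {data}")
    cmd = keys.get(TXTFILE_KEY, {}).get("@", "")
    # A healthy handler runs notepad; hex(2) (REG_EXPAND_SZ) data is not decoded here
    if cmd and not cmd.startswith("hex") and "notepad.exe" not in cmd.lower():
        findings.append(f"txtfile open command hijacked -> {cmd}")
    return findings

def audit_win_ini(ini_text):
    """Dropped-file names launched from the [windows] run= line of WIN.INI."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return sorted(_basenames(cp.get("windows", "run", fallback="")) & LOVGATE_FILES)

SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=rpcsrv.exe\n\n[Desktop]\nWallpaper=(None)\n"
```

Running `audit_registry(SAMPLE_REG)` returns four findings (the three Run values and the txtfile hijack) and leaves the unrelated VendorTray entry alone; `audit_win_ini(SAMPLE_WIN_INI)` returns `['rpcsrv.exe']`.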
Method of Infection
This worm propagates via email and network shares. It copies itself to folders/subfolders on open shares, and replies to messages in the user inbox.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher). However, the 4249 and 4250 DAT files contain instructions to reset the TXTFILE SHELL OPEN COMMAND to C:\WINDOWS\NOTEPAD.EXE, which is the incorrect path on some systems. This will be corrected in the 4251 DAT files. Additionally, the 4.2.40 engine and 4250 DAT files are required to remove the registry keys associated with the virus/backdoor. This registry script (FixLovgate.reg) will correct the TXTFILE key value, remove the keys associated with the services, and remove the run keys.
The 1.DLL file is injected into the LSASS.EXE process, which prevents it from being deleted. This file will be detected as BackDoor-AQJ, but requires a reboot for the removal to complete. Stinger can be used to remove W32/Lovgate@M and BackDoor-AQJ completely, without requiring a reboot.
The 4.2.40 engine, or Stinger, is required to remove the registry keys associated with the virus/trojan running as a service.
Variants
- W32/Lovgate.b@M
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32/Lovegate
- W32/LovGate-D (Sophos)
- W32/Lovgate.b1